Snort mailing list archives
Tagging into the DB and back out again
From: "Sean Wheeler" <s.wheeler () netprotect ch>
Date: Fri, 30 May 2003 20:39:54 +0200
Hi,

Creating a rule using tagging and logging to the DB works great, except that there is a unique ID for each tagged packet (example: 20 packets logged into the DB). One of those packets, aka IDs, refers to the starting alert and the others are the tagged packets.

So when viewing the results from a frontend: traditionally each unique ID refers to a unique event... but in the case of tagging, 20 unique IDs refer to a single instance of an alert being triggered, with 20 following packets.

So getting the info into the DB is not a problem; it's reading it back out in a usable/readable and user-followable manner. I would like to indicate via the frontend: 1 instance of "WOOP !! Alert for HTTP Tagging custom alert" and not 20 instances of "WOOP !! Alert......". When clicking on the above example (1 instance of "WOOP"), a story of the next 20 following packets is displayed, so that you can follow the conversation (the whole point behind tagging).

Issues:
- Each tagged packet has a unique ID.
- Tagging can be done over X count in seconds OR X count in packets, with either following the session or the host (direction flag) tag type.
- If you have the rules parseable, you could look at how the tagging was constructed and then strip out the relevant packets which comprise a tagged alert. But let's assume you used the tag type host: if you tried to assemble the 20-packet tagged alert, you could end up with a mixed-up tagged story if that host was running multiple simultaneous sessions which were logged to the DB.

Bottom line is my little brain is going around and around playing the what-if-how-about.

Architecture: Snort 2 logging to a MySQL DB.

Request: If anyone has ideas regarding the reassembly of tagged sessions from a DB and the differentiating of a tagged session from a traditional session, I would love to hear your ideas, as my Friday evening slightly toasted brain is taking strain on finding a reliable manner in which to do this.
regards
Sean
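An added example, not part of Sean's post and not Snort's own code, showing one way to collapse the per-packet rows back into "1 alert + N tagged packets" stories, and why grouping by host mixes sessions while grouping by the session 4-tuple does not. The row layout (cid, timestamp, signature name, src, sport, dst, dport) is an assumption loosely modelled on the columns a Snort 2 / MySQL schema exposes, and the rows themselves are constructed, not real data.

```python
from collections import OrderedDict

# Constructed sample rows: two simultaneous HTTP sessions from the same client
# host, both caught by the tagging rule. All rows carry the same signature,
# so the signature alone cannot tell the alert packet from the tagged ones.
SIG = "WOOP !! Alert for HTTP Tagging custom alert"
ROWS = [
    (101, "20:39:00", SIG, "10.0.0.5", 40001, "192.0.2.10", 80),   # alert, session A
    (102, "20:39:01", SIG, "192.0.2.10", 80, "10.0.0.5", 40001),   # tagged, A (reply)
    (103, "20:39:01", SIG, "10.0.0.5", 40002, "192.0.2.10", 80),   # alert, session B
    (104, "20:39:02", SIG, "10.0.0.5", 40001, "192.0.2.10", 80),   # tagged, A
    (105, "20:39:02", SIG, "192.0.2.10", 80, "10.0.0.5", 40002),   # tagged, B (reply)
    (106, "20:39:03", SIG, "10.0.0.5", 40001, "192.0.2.10", 80),   # tagged, A
]

def session_key(src, sport, dst, dport):
    """Direction-independent 4-tuple so both halves of a conversation match."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def host_key(src, sport, dst, dport):
    """Direction-independent host pair, the granularity a 'tag: host' rule uses."""
    return tuple(sorted([src, dst]))

def build_stories(rows, sig_name, tag_count, keyfunc=session_key):
    """Collapse rows carrying the tagging rule's signature into stories.
    The first packet seen for a key is the triggering alert; the next
    `tag_count` packets on that key are its tagged follow-ups (the packet
    count form of the tag option). Returns {alert_cid: [tagged cid, ...]}."""
    rows = sorted((r for r in rows if r[2] == sig_name), key=lambda r: r[0])
    open_stories = {}          # key -> alert cid still collecting packets
    stories = OrderedDict()
    for cid, _ts, _sig, src, sport, dst, dport in rows:
        k = keyfunc(src, sport, dst, dport)
        alert = open_stories.get(k)
        if alert is None or len(stories[alert]) >= tag_count:
            open_stories[k] = cid      # story is full or absent: new alert instance
            stories[cid] = []
        else:
            stories[alert].append(cid)  # tagged packet belonging to that alert
    return stories

if __name__ == "__main__":
    print("by session:", dict(build_stories(ROWS, SIG, 3)))
    print("by host:   ", dict(build_stories(ROWS, SIG, 3, keyfunc=host_key)))
```

With the host key, session B's own alert (cid 103) is swallowed into session A's story, which is exactly the mixed-up story the post warns about; for the seconds-based tag form you would bound the story by timestamp instead of by packet count.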